The xz software package has been compromised by what appears to be a long and well-planned operation.
Assuming the perpetrator has the nation state resources behind them, which country is ultimately responsible? This includes all the intelligence agencies working for that country.
Please request new countries in comments; I'm willing to consider options for specific non-nation-state operators if you have a good argument for it (so "Organized crime" as such won't do, but "OPEC" would).
If this turns out to be the work of a single or few talented individuals, resolves N/A.
I may bet in this market.
See also https://manifold.markets/retr0id/will-the-authors-of-the-xzutils-bac for an alternate view and more background.
https://boehs.org/node/everything-i-know-about-the-xz-backdoor :
"I’ve now learned from another source that Cheong isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard) and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses J and especially not Ji). The Tan last name is possible in Mandarin, but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor simply mashed plausible sounding Chinese names together."
@Blomfilter exactly. Very hard to know. Usually 4D chess explanations are wrong just by virtue of their complexity. But we're looking at a long con, and reasonably likely a state actor. They had to choose a name anyway, it makes sense that they would have chosen one that aligned with whatever their goals were. It's not that weird IMHO for there to be some intentional misdirection there.
Someone said the commit times generally lined up with business hours in China, including consideration of public holidays. I suspect that is one more dimension of chess than an attacker is likely to have played, though, since that would require ongoing inconvenience and effort, whereas the name was a one-off choice. So assuming it's correct that the timestamps do uniquely point to someone working business hours in China, I think that's pretty good evidence for it being someone located in China, working as part of their day job.
@chrisjbillington I've only seen a timestamp analysis that points to the EET timezone: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
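The commit-time argument in the comments above can be checked mechanically. This is an added example, not code from the market or from the linked analyses, and it runs on constructed commit times rather than the real xz history: it scores candidate zones by how many commits fall in weekday business hours, and shows why the author-declared offset in git metadata (set by the committer) is not evidence on its own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (UTC timestamp, author-declared UTC offset in hours).
# Not the real xz history. UTC hours cluster 07:00-15:00 on weekdays, while
# every commit carries a +08:00 offset, which a git author can set freely.
SAMPLE_COMMITS = [
    ("2023-06-12 07:15", 8), ("2023-06-12 10:40", 8), ("2023-06-13 08:05", 8),
    ("2023-06-13 13:30", 8), ("2023-06-14 09:55", 8), ("2023-06-14 14:20", 8),
    ("2023-06-15 07:45", 8), ("2023-06-15 12:10", 8), ("2023-06-16 11:00", 8),
    ("2023-06-16 15:25", 8),
]

# Hypothetical candidate zones to compare; labels are ours, not from the page.
CANDIDATE_ZONES = {"China (UTC+8)": 8, "EET (UTC+2)": 2, "US Eastern (UTC-4)": -4}


def parse(ts_utc: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' string as an aware UTC datetime."""
    return datetime.strptime(ts_utc, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def in_business_hours(ts_utc: datetime, offset_h: int, start=9, end=18) -> bool:
    """True if the commit lands on a weekday between start and end in that zone."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_h)))
    return local.weekday() < 5 and start <= local.hour < end


def business_hours_fit(commits, offset_h: int) -> float:
    """Fraction of commits inside business hours when viewed from offset_h."""
    hits = sum(in_business_hours(parse(ts), offset_h) for ts, _ in commits)
    return hits / len(commits)


def declared_offset_fit(commits) -> float:
    """Same fraction, but trusting each commit's own declared offset."""
    hits = sum(in_business_hours(parse(ts), off) for ts, off in commits)
    return hits / len(commits)


def rank_zones(commits, zones=CANDIDATE_ZONES):
    """Candidate zones ordered from best to worst business-hours fit."""
    scored = ((name, business_hours_fit(commits, off)) for name, off in zones.items())
    return sorted(scored, key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    print("declared offset fit:", declared_offset_fit(SAMPLE_COMMITS))
    for name, score in rank_zones(SAMPLE_COMMITS):
        print(f"{name:20s} {score:.2f}")
```

On this constructed sample the declared +08:00 offset scores only 0.4 while UTC+2 scores 1.0, which is the shape of argument the linked analysis makes; a real run would need the full commit list and should also check holidays and the spread of hours, not just one threshold.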